pkinit kinit/krb5.conf naming inconsistencies

Kevin Coffman kwc at
Mon Sep 15 11:23:53 EDT 2008

On Mon, Sep 15, 2008 at 10:01 AM, Nicolas Williams
<Nicolas.Williams at> wrote:
> On Sat, Sep 13, 2008 at 07:51:09PM -0400, Kevin Coffman wrote:
>> On Thu, Sep 11, 2008 at 1:33 AM, Glenn Barry <Glenn.Barry at> wrote:
>> > Is there a good reason for these to be diff?
>> Hi Glenn,
>> Yes, as I recall, there was.
>> We were making an effort to match the options in the config file with
>> those used by Heimdal where possible.
>> For the "-X" preauth options, Sam did not want them to be
>> pkinit-specific since they could possibly be used with other preauth
>> methods in the future.
> That makes sense, but perhaps the right answer would be to provide
> Heimdal-compatible aliases for use in krb5.conf while having the same
> canonical parameter names for both, krb5.conf and kinit -x.
> It's one thing to be compatible with another implementation's
> configuration parameter names.  It's another to make things confusing
> for the user.  We can have the former without the latter.  Yes, it's
> more code -- how much more depends on whether the parameter value
> syntaxes can be compatible even with diff. param. names -- but from a UI
> p.o.v. it's quite useful.
> Nico
> --

I'm not arguing your points, but my opinion is that the "normal" user
is/was going to see a command-line UI difference between Heimdal and
MIT in any case.  The "normal" user will not notice the difference
between MIT command-line and config file because they will never deal
with the config file.


More information about the krbdev mailing list